From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Hulk Robot <hulkci@huawei.com>,
	YueHaibing <yuehaibing@huawei.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 56/77] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
Date: Thu, 23 May 2019 21:06:14 +0200
Message-ID: <20190523181727.691643997@linuxfoundation.org>
In-Reply-To: <20190523181719.982121681@linuxfoundation.org>

[ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ]

UBSAN reports this:

UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24
index 6 is out of range for type 'unsigned int [6]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4
 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80
 ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8
Call Trace:
 <IRQ>  [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51
 [<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
 [<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382
 [<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289
 [<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309
 [<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243
 [<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144
 [<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline]
 [<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401
 [<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273
 [<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391
 [<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
 [<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926
 [<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735
 <EOI>  [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52
 [<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline]
 [<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446
 [<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437
 [<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92
 [<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline]
 [<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline]
 [<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299
 [<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245

The issue is triggered like this:

xfrm_add_policy
    -->verify_newpolicy_info  //check the index provided by user with XFRM_POLICY_MAX
			      //In my case, the index is 0x6E6BB6, so it passes the check.
    -->xfrm_policy_construct  //copy the user's policy and set xfrm_policy_timer
    -->xfrm_policy_insert
	--> __xfrm_policy_link //use the origin dir, in my case is 2
	--> xfrm_gen_index   //generate policy index, which here is 0x6E6BB6

then xfrm_policy_timer is fired

xfrm_policy_timer
   --> xfrm_policy_id2dir  //get dir from (policy index & 7), in my case is 6
   --> xfrm_policy_delete
      --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access

Add an xfrm_policy_id2dir check in verify_newpolicy_info to make sure the
computed dir is valid, fixing the issue.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 9ff9255d2191b..919b8406028cc 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1381,7 +1381,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
 	ret = verify_policy_dir(p->dir);
 	if (ret)
 		return ret;
-	if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir))
+	if (p->index && (xfrm_policy_id2dir(p->index) != p->dir))
 		return -EINVAL;
 
 	return 0;
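Review bot: the condition on the `-` line uses XFRM_POLICY_MAX as a bit mask, `p->index & XFRM_POLICY_MAX`, which inspects fewer low bits of the index than `xfrm_policy_id2dir` does (the description says the timer path derives dir as `policy index & 7`), so an index such as 0x6E6BB6 agrees with dir 2 under the old test yet maps to dir 6 in `__xfrm_policy_unlink`, past the six-entry array the UBSAN report shows. The `+` line closes that gap by validating with the same helper the unlink path uses; a one-line comment above it stating that this check must stay in sync with `xfrm_policy_id2dir` would keep a later change to either side from reintroducing the mismatch. The `p->index &&` guard still leaves an unsupplied (zero) index to xfrm_gen_index, consistent with the Fixes: commit's "honor policy index if it's supplied by user".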
-- 
2.20.1
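As an added illustration, not part of the patch or of the kernel source, the following C model compares the pre- and post-patch validation from the hunk against the dir derivation the description attributes to xfrm_policy_id2dir (index & 7). It assumes XFRM_POLICY_MAX is 3 and that policy_count has XFRM_POLICY_MAX * 2 = 6 slots, matching the 'unsigned int [6]' in the UBSAN report, and that verify_policy_dir accepts dirs 0 through 2; the names model_policy_id2dir, old_check_accepts, new_check_accepts, unlink_dir_in_bounds and count_unsafe_accepted are the example's own. The sweep in count_unsafe_accepted goes beyond the single index in the description and shows that the new check accepts no (index, dir) pair for which the later array access would be out of bounds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants: XFRM_POLICY_MAX = 3 and a policy_count array of
 * XFRM_POLICY_MAX * 2 entries, which matches 'unsigned int [6]' in the
 * UBSAN report. XFRM_POLICY_IN/OUT/FWD are the dirs verify_policy_dir
 * is assumed to accept. */
#define XFRM_POLICY_MAX    3
#define POLICY_COUNT_SLOTS (XFRM_POLICY_MAX * 2)
#define XFRM_POLICY_IN     0
#define XFRM_POLICY_OUT    1
#define XFRM_POLICY_FWD    2

/* Model of xfrm_policy_id2dir: per the description, dir = index & 7. */
static unsigned int model_policy_id2dir(uint32_t index)
{
	return index & 7;
}

/* Pre-patch test from the '-' line: XFRM_POLICY_MAX used as a bit mask. */
static bool old_check_accepts(uint32_t index, unsigned int dir)
{
	if (index && ((index & XFRM_POLICY_MAX) != dir))
		return false;	/* verify_newpolicy_info would return -EINVAL */
	return true;
}

/* Post-patch test from the '+' line: same helper as the unlink path. */
static bool new_check_accepts(uint32_t index, unsigned int dir)
{
	if (index && (model_policy_id2dir(index) != dir))
		return false;
	return true;
}

/* Would policy_count[xfrm_policy_id2dir(index)] in __xfrm_policy_unlink
 * stay inside the array? */
static bool unlink_dir_in_bounds(uint32_t index)
{
	return model_policy_id2dir(index) < POLICY_COUNT_SLOTS;
}

typedef bool (*policy_check_fn)(uint32_t index, unsigned int dir);

/* Count (index, dir) pairs with a valid dir that the given check accepts
 * even though the later unlink would index past policy_count. Sweeping
 * the low bits is enough: both derivations look only at index & 7. */
static unsigned long count_unsafe_accepted(policy_check_fn check)
{
	unsigned long unsafe = 0;

	for (uint32_t index = 1; index <= 0xFFF; index++)
		for (unsigned int dir = XFRM_POLICY_IN; dir <= XFRM_POLICY_FWD; dir++)
			if (check(index, dir) && !unlink_dir_in_bounds(index))
				unsafe++;
	return unsafe;
}

int main(void)
{
	/* Index and dir quoted in the commit description. */
	const uint32_t index = 0x6E6BB6;
	const unsigned int dir = XFRM_POLICY_FWD;

	printf("index 0x%X: old check %s, new check %s, id2dir -> %u (%s)\n",
	       index,
	       old_check_accepts(index, dir) ? "accepts" : "rejects",
	       new_check_accepts(index, dir) ? "accepts" : "rejects",
	       model_policy_id2dir(index),
	       unlink_dir_in_bounds(index) ? "in bounds" : "OUT OF BOUNDS");
	printf("unsafe pairs accepted: old=%lu new=%lu\n",
	       count_unsafe_accepted(old_check_accepts),
	       count_unsafe_accepted(new_check_accepts));
	return 0;
}
```

Compile with `cc -Wall -o xfrm_dir_model xfrm_dir_model.c` and run; the point of the model is that the validating check and the consuming code path derive dir the same way, which is what the one-line change in the hunk restores.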